Yesterday, the European Commission (EC) adopted its long-awaited decision endorsing the EU-US privacy shield. This is the latest milestone in restoring a stable legal basis for transatlantic flows of personal data, since the Court of Justice of the EU annulled the EU-US Safe Harbor program in its judgment in the Schrems case in October 2015.
As early as August 1, US companies will be able to sign up to the revised program with the US Department of Commerce. Significantly, the Privacy Shield provides protection of personal data that brings the program significantly closer to EU data protection rules than was the Safe Harbor. In addition, the US intelligence community has made significant new representations regarding the limitations on mass surveillance under US law. Although the Privacy Shield imposes greater compliance burdens on companies than the Safe Harbor, the majority of the 4,500 companies that were previously certified under the Safe Harbor are expected to recertify under the Privacy Shield, and others may be tempted to join in.
This said, this milestone may not be the final one. Privacy activists may be tempted to continue the fight at the European Court of Justice. However, as the EC has arguably now carried out a full-fledged adequacy review, any challenge should differ from the Schrems case in a number of important respects. At this juncture, it is simply too early to tell what the final position of the EU court will be.
More information on the Privacy Shield is available here.